| 2020-08-22 02:58:15 |
Seth Arnold |
bug |
|
|
added bug |
| 2020-08-22 02:58:42 |
Seth Arnold |
bug task added |
|
pam-pkcs11 (Ubuntu) |
|
| 2020-08-22 02:59:06 |
Seth Arnold |
bug task added |
|
pcsc-perl (Ubuntu) |
|
| 2020-08-22 02:59:17 |
Seth Arnold |
bug task added |
|
opensc (Ubuntu) |
|
| 2020-08-22 02:59:31 |
Seth Arnold |
bug task added |
|
pcsc-tools (Ubuntu) |
|
| 2020-08-22 03:00:20 |
Seth Arnold |
bug |
|
|
added subscriber MIR approval team |
| 2020-08-22 03:02:53 |
Seth Arnold |
bug |
|
|
added subscriber Vineetha Kamath |
| 2020-08-25 14:46:19 |
Christian Ehrhardt |
ccid (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-25 14:46:21 |
Christian Ehrhardt |
opensc (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-25 14:46:23 |
Christian Ehrhardt |
pam-pkcs11 (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-25 14:46:25 |
Christian Ehrhardt |
pcsc-perl (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-25 14:46:26 |
Christian Ehrhardt |
pcsc-tools (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-26 11:30:13 |
Christian Ehrhardt |
bug task added |
|
pcsc-lite (Ubuntu) |
|
| 2020-08-26 11:30:21 |
Christian Ehrhardt |
summary |
[MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools |
[MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite |
|
| 2020-08-26 11:30:26 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2020-08-27 03:24:27 |
Seth Arnold |
description |
==> ccid <==
[Availability]
ccid is in universe, and builds on all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs for ccid are listed in our database.
Doesn't appear to bind to a socket.
No privileged executables, but does have udev rules.
Probably needs a security review.
[Quality assurance]
No test suite.
Does require odd hardware that we'll probably need to buy.
I don't see debconf questions.
ccid is well maintained in Debian by upstream author.
One open wishlist bug in BTS, harmless.
One open bug in launchpad, not security, but looks very frustrating
for the users. The upstream author was engaged but it never reached
resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465
Has a debian/watch file.
Quilt packaging.
P: ccid source: no-dep5-copyright
P: ccid source: package-uses-experimental-debhelper-compat-version 13
[Dependencies]
Minimal dependencies, in main
[Standards compliance]
Appears to satisfy FHS and Debian policy
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
ccid provides drivers to interact with usb-connected smart card readers.
==> libpam-pkcs11 <==
[Availability]
Source package pam-pkcs11 is in universe and builds on all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs in our database.
Doesn't appear to bind to sockets.
No privileged executables (but is a PAM module).
As a PAM module this will require a security review.
[Quality assurance]
The package does not call pam-auth-update in its postinst #1650366
Does not ask questions during install.
One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
No Debian bugs.
Occasional updates in Debian by long-term maintainer.
Does require odd hardware that we'll probably need to buy.
Does not appear to run tests during build.
Has scary warnings in the build logs.
Has a debian/watch file.
Ancient standards version; other smaller lintian messages, mostly
documentation problems.
Quilt packaging.
[Dependencies]
Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
All are in main.
[Standards compliance]
The package does not call pam-auth-update in its postinst #1650366
Otherwise looks to conform to FHS and Debian policies
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
This PAM module can use CRLs and full-chain verification of certificates.
It can also do LDAP, AD, and Kerberos username mapping.
==> libpcsc-perl <==
[Availability]
Source package pcsc-perl is in universe, builds for all architectures,
plus i386
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
There are no cves for pcsc-perl in our database.
No privileged executables.
Doesn't appear to bind to sockets.
Probably needs a security review.
[Quality assurance]
Library package not intended to be used directly.
No debconf questions.
No bugs in Debian.
No bugs in Ubuntu.
Does require odd hardware that we'll probably need to buy.
Tests exist, not run during the build; probably can't run during the build.
Includes debian/watch file.
A handful of lintian issues
Quilt packaging.
[Dependencies]
libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
All are in main.
[Standards compliance]
One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
Many other perl packages have .pod files in these directory trees so maybe
it's fine, but it seems funny all the same.
Otherwise appears to satisfy FHS and Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
Dependency of pcsc-tools; this library provides an API to work with smart
cards and card readers.
==> opensc <==
[Availability]
Both opensc and opensc-pkcs11
In universe, builds for all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
26 CVEs in our database. None open in groovy.
No privileged executables.
Does not appear to bind to sockets.
Probably needs a security review.
[Quality assurance]
Unknown configuration effort.
No debconf questions.
Several recent Ubuntu bugs ask for updates to newer versions for bugfixes.
A recent Debian bug reports a FTBFS, includes a fix, and has been ignored
for months.
Does require odd hardware that we'll probably need to buy.
Includes a test suite, most of which is skipped; unknown quality, looks
like a bit more than usual smoke testing.
Includes a debian/watch file.
Handful of small lintian warnings.
Quilt packaging.
[Dependencies]
Recommends: pcscd from universe
[Standards compliance]
Appears to follow FHS, Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
Provides a pkcs#11 library for interacting with many models of smartcards.
==> pcsc-tools <==
[Availability]
Built in groovy for all architectures
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs in our database for pcsc-tools.
Doesn't appear to bind to sockets.
No privileged executables.
Probably needs a security review.
[Quality assurance]
It looks like it works out of the box.
No debconf questions.
One bug in Ubuntu, it doesn't make much sense.
No bugs in Debian.
Looks to be regularly updated in Debian.
Does require odd hardware that we'll probably need to buy.
Doesn't look like it includes a test suite.
Includes a debian/watch file.
Very short lintian --pedantic output.
Quilt packaging.
[Dependencies]
Depends upon libpcsclite1, libpcsc-perl, libgtk3-perl.
libpcsc-perl is in universe.
[Standards compliance]
Appears to adhere to FHS, Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
This package provides general utilities for smartcards; it's possible that
we do not strictly need this package for our use case. |
==> ccid <==
[Availability]
ccid is in universe, and builds on all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs for ccid are listed in our database.
Doesn't appear to bind to a socket.
No privileged executables, but does have udev rules.
Probably needs a security review.
[Quality assurance]
No test suite.
Does require odd hardware that we'll probably need to buy.
I don't see debconf questions.
ccid is well maintained in Debian by upstream author.
One open wishlist bug in BTS, harmless.
One open bug in launchpad, not security, but looks very frustrating
for the users. The upstream author was engaged but it never reached
resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465
Has a debian/watch file.
Quilt packaging.
P: ccid source: no-dep5-copyright
P: ccid source: package-uses-experimental-debhelper-compat-version 13
[Dependencies]
Minimal dependencies, in main
[Standards compliance]
Appears to satisfy FHS and Debian policy
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
ccid provides drivers to interact with usb-connected smart card readers.
==> libpam-pkcs11 <==
[Availability]
Source package pam-pkcs11 is in universe and builds on all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs in our database.
Doesn't appear to bind to sockets.
No privileged executables (but is a PAM module).
As a PAM module this will require a security review.
[Quality assurance]
The package does not call pam-auth-update in its postinst #1650366
Does not ask questions during install.
One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
No Debian bugs.
Occasional updates in Debian by long-term maintainer.
Does require odd hardware that we'll probably need to buy.
Does not appear to run tests during build.
Has scary warnings in the build logs.
Has a debian/watch file.
Ancient standards version; other smaller lintian messages, mostly
documentation problems.
Quilt packaging.
[Dependencies]
Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
All are in main.
[Standards compliance]
The package does not call pam-auth-update in its postinst #1650366
Otherwise looks to conform to FHS and Debian policies
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
This PAM module can use CRLs and full-chain verification of certificates.
It can also do LDAP, AD, and Kerberos username mapping.
==> libpcsc-perl <==
[Availability]
Source package pcsc-perl is in universe, builds for all architectures,
plus i386
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
There are no cves for pcsc-perl in our database.
No privileged executables.
Doesn't appear to bind to sockets.
Probably needs a security review.
[Quality assurance]
Library package not intended to be used directly.
No debconf questions.
No bugs in Debian.
No bugs in Ubuntu.
Does require odd hardware that we'll probably need to buy.
Tests exist, not run during the build; probably can't run during the build.
Includes debian/watch file.
A handful of lintian issues
Quilt packaging.
[Dependencies]
libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
All are in main.
[Standards compliance]
One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
Many other perl packages have .pod files in these directory trees so maybe
it's fine, but it seems funny all the same.
Otherwise appears to satisfy FHS and Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
Dependency of pcsc-tools; this library provides an API to work with smart
cards and card readers.
==> opensc <==
[Availability]
Both opensc and opensc-pkcs11
In universe, builds for all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
26 CVEs in our database. None open in groovy.
No privileged executables.
Does not appear to bind to sockets.
Probably needs a security review.
[Quality assurance]
Unknown configuration effort.
No debconf questions.
Several recent Ubuntu bugs ask for updates to newer versions for bugfixes.
A recent Debian bug reports a FTBFS, includes a fix, and has been ignored
for months.
Does require odd hardware that we'll probably need to buy.
Includes a test suite, most of which is skipped; unknown quality, looks
like a bit more than usual smoke testing.
Includes a debian/watch file.
Handful of small lintian warnings.
Quilt packaging.
[Dependencies]
Recommends: pcscd from universe
[Standards compliance]
Appears to follow FHS, Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
Provides a pkcs#11 library for interacting with many models of smartcards.
==> pcsc-tools <==
[Availability]
Built in groovy for all architectures
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
No CVEs in our database for pcsc-tools.
Doesn't appear to bind to sockets.
No privileged executables.
Probably needs a security review.
[Quality assurance]
It looks like it works out of the box.
No debconf questions.
One bug in Ubuntu, it doesn't make much sense.
No bugs in Debian.
Looks to be regularly updated in Debian.
Does require odd hardware that we'll probably need to buy.
Doesn't look like it includes a test suite.
Includes a debian/watch file.
Very short lintian --pedantic output.
Quilt packaging.
[Dependencies]
Depends upon libpcsclite1, libpcsc-perl, libgtk3-perl.
libpcsc-perl is in universe.
[Standards compliance]
Appears to adhere to FHS, Debian policy.
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
This package provides general utilities for smartcards; it's possible that
we do not strictly need this package for our use case.
==> libpcsclite1 <==
[Availability]
pcsc-lite is in universe, and builds on all architectures.
[Rationale]
The desktop team and security team are interested in bringing smartcard
authentication to enterprise desktop environments.
[Security]
Five CVEs for pcsc-lite are listed in our database.
Doesn't appear to bind to a socket.
No executables, only a library.
Probably needs a security review.
[Quality assurance]
There is a testpcsc.c file that is compiled but I don't know how to use it
for tests.
Does require odd hardware that we'll probably need to buy.
I don't see debconf questions.
pcsc-lite is well maintained in Debian by upstream author.
There are a handful of open bugs in Debian, the author was very repsonsive
on the hndful I inspected, it looks like some cases of misunderstood
capabilities, cases of conflicting requirements, etc. Nothing looked
concerning:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=pcsc-lite
The most recent Ubuntu bugs are due to (a) 14.04 systemd problems (b)
errors from drivers assigned to the wrong package (c) probably due to use
of insserv rather than plain systemd:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bugs?orderby=-id&start=0
Nothing looked concerning.
Has a debian/watch file.
Quilt packaging.
P: pcsc-lite source: no-dep5-copyright
P: pcsc-lite source: package-uses-experimental-debhelper-compat-version 13
[Dependencies]
libpcsclite1 depends upon libc6.
[Standards compliance]
Appears to satisfy FHS and Debian policy
[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the
security team will assist with security-relevant questions.
[Background information]
libpcsclite1 provides windows smart-card API to interact with smart card
readers. |
|
| 2020-08-31 10:17:15 |
Christian Ehrhardt |
ccid (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
Ubuntu Security Team (ubuntu-security) |
|
| 2020-08-31 10:18:53 |
Christian Ehrhardt |
opensc (Ubuntu): status |
New |
Incomplete |
|
| 2020-08-31 10:19:02 |
Christian Ehrhardt |
opensc (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
Ubuntu Security Team (ubuntu-security) |
|
| 2020-08-31 12:38:39 |
Christian Ehrhardt |
pam-pkcs11 (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
Ubuntu Security Team (ubuntu-security) |
|
| 2020-08-31 13:00:43 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): status |
New |
Incomplete |
|
| 2020-08-31 13:12:17 |
Christian Ehrhardt |
pcsc-perl (Ubuntu): status |
New |
Invalid |
|
| 2020-08-31 13:12:20 |
Christian Ehrhardt |
pcsc-tools (Ubuntu): status |
New |
Invalid |
|
| 2020-08-31 13:12:23 |
Christian Ehrhardt |
pcsc-perl (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
|
|
| 2020-08-31 13:12:25 |
Christian Ehrhardt |
pcsc-tools (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
|
|
| 2020-08-31 13:12:27 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
|
|
| 2020-08-31 14:43:19 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): assignee |
|
Seth Arnold (seth-arnold) |
|
| 2020-09-15 14:54:55 |
Seth Arnold |
pcsc-lite (Ubuntu): status |
Incomplete |
New |
|
| 2020-09-15 14:55:24 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): assignee |
Seth Arnold (seth-arnold) |
Christian Ehrhardt (paelzer) |
|
| 2020-09-16 11:39:12 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): assignee |
Christian Ehrhardt (paelzer) |
Ubuntu Security Team (ubuntu-security) |
|
| 2020-09-16 11:40:32 |
Christian Ehrhardt |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930530 |
|
| 2020-10-07 22:27:29 |
Seth Arnold |
bug |
|
|
added subscriber Joy Latten |
| 2021-04-29 20:30:07 |
Seth Arnold |
pam-pkcs11 (Ubuntu): status |
New |
Invalid |
|
| 2021-04-29 20:30:11 |
Seth Arnold |
pam-pkcs11 (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
| 2021-04-30 07:18:11 |
Sebastien Bacher |
summary |
[MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite |
[MIR] ccid llibpcsc-perl opensc pcsc-tools pcsc-lite |
|
| 2021-04-30 07:18:14 |
Sebastien Bacher |
summary |
[MIR] ccid llibpcsc-perl opensc pcsc-tools pcsc-lite |
[MIR] ccid libpcsc-perl opensc pcsc-tools pcsc-lite |
|
| 2021-04-30 07:47:10 |
Sebastien Bacher |
summary |
[MIR] ccid libpcsc-perl opensc pcsc-tools pcsc-lite |
[MIR] ccid opensc pcsc-lite |
|
| 2021-04-30 10:13:20 |
Sebastien Bacher |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987817 |
|
| 2021-05-04 14:47:14 |
Seth Arnold |
removed subscriber Joy Latten |
|
|
|
| 2021-05-12 20:19:19 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
| 2021-10-06 02:11:14 |
Ray Veldkamp |
bug |
|
|
added subscriber Ray Veldkamp |
| 2021-10-27 10:59:04 |
Sebastien Bacher |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=997932 |
|
| 2022-01-19 07:04:02 |
Ray Veldkamp |
ccid (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
Ray Veldkamp (rayveldkamp) |
|
| 2022-01-19 07:04:31 |
Ray Veldkamp |
ccid (Ubuntu): status |
New |
In Progress |
|
| 2022-01-20 15:15:08 |
Sebastien Bacher |
pcsc-lite (Ubuntu): importance |
Undecided |
Medium |
|
| 2022-05-11 20:39:52 |
Steve Beattie |
tags |
|
sec-407 |
|
| 2022-05-11 20:40:20 |
Steve Beattie |
tags |
sec-407 |
sec-407 sec-408 sec-409 |
|
| 2022-09-13 08:55:27 |
Steve Beattie |
ccid (Ubuntu): assignee |
Ray Veldkamp (rayveldkamp) |
Ubuntu Security Team (ubuntu-security) |
|
| 2022-11-10 16:28:09 |
Mark Esler |
ccid (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
| 2022-11-10 16:28:13 |
Mark Esler |
opensc (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
| 2022-11-10 16:28:16 |
Mark Esler |
pcsc-lite (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
| 2022-11-10 16:28:27 |
Mark Esler |
bug |
|
|
added subscriber Mark Esler |
| 2022-11-15 15:44:49 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): status |
New |
Incomplete |
|
| 2022-11-16 14:54:27 |
Lukas Märdian |
tags |
sec-407 sec-408 sec-409 |
fr-2980 sec-407 sec-408 sec-409 |
|
| 2023-06-13 14:50:09 |
Christian Ehrhardt |
opensc (Ubuntu): status |
Incomplete |
Invalid |
|
| 2023-06-13 14:50:13 |
Christian Ehrhardt |
pcsc-lite (Ubuntu): status |
Incomplete |
Invalid |
|
